Sharon428931

New JumpServer Bug Could Expose Admin Session Logs – Patch Now

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

JumpServer is a widely used open-source bastion host solution that provides secure remote login and operations auditing. It’s commonly deployed in enterprise networks to strengthen access control and compliance.

In September 2023, JumpServer released a patch addressing two related flaws:

  • An unauthorized access issue in the /api/v1/terminal/sessions/ endpoint.
  • A privilege bypass bug (not mentioned in the official advisory but already fixed).

Together, these issues (tracked as CVE-2023-42442) could allow attackers to not only list but also retrieve sensitive session replay logs, exposing keystrokes, executed commands, and even administrator activity.


Vulnerability Overview

The first issue arises from insufficient permission checks on the session API, letting unauthenticated users obtain a list of past session replays.

By chaining this with the privilege bypass bug, attackers can go further and download full replay files, essentially watching the activity of admins and operators.

This can lead to leakage of highly sensitive operational data, command histories, and potential access credentials, making it a serious enterprise security risk.


Detection Tools

1. X-POC Remote Scanner

xpoc -r 408 -t http://xpoc.org

2. CloudWalker Local Scanner

./jumpserver_replay_leak_cve_2023_42442_scanner_linux_amd64


Affected Versions

  • v3.0.0 – v3.6.3
  • If replays are stored in S3, OSS, or other external cloud storage, this issue does not apply.
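The overview above describes an authorization gap on the /api/v1/terminal/sessions/ endpoint, and this section gives the affected range (v3.0.0 through v3.6.3, local replay storage only). The following script is an added example, not code from the original post or from the JumpServer project: it turns those two facts into a defender-side check, a version-range test that honours the external-storage exception and a pass over reverse-proxy access logs that flags successful reads of the sessions endpoint from outside the trusted IP ranges a network ACL would allow. The log format is assumed to be nginx/Apache combined format, and the log lines, IP addresses and query string are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Affected range stated in the advisory: v3.0.0 through v3.6.3, inclusive.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 6, 3)

# Endpoint named in the advisory as lacking a sufficient permission check.
SESSIONS_ENDPOINT = "/api/v1/terminal/sessions/"


def parse_version(tag: str) -> Tuple[int, int, int]:
    """Turn a JumpServer version tag such as 'v3.6.3' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(tag: str, replay_storage: str = "local") -> bool:
    """True when the version is in the vulnerable range and replays are stored locally.

    The advisory notes the issue does not apply when replays live in S3, OSS or
    other external object storage, so any non-local storage returns False.
    """
    if replay_storage.lower() != "local":
        return False
    return AFFECTED_MIN <= parse_version(tag) <= AFFECTED_MAX


# Assumed combined log format (nginx/Apache) from the proxy in front of JumpServer:
# ip ident user [timestamp] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def flag_untrusted_session_reads(
    lines: Iterable[str], trusted_cidrs: Iterable[str]
) -> List[Tuple[str, str]]:
    """Return (source_ip, path) for successful requests to the sessions endpoint
    that did not come from a trusted network.

    A 2xx answer from an untrusted source is what the advisory's ACL workaround is
    meant to prevent, so each one is worth reviewing against the patch timeline.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        if not m["path"].startswith(SESSIONS_ENDPOINT):
            continue
        if not 200 <= int(m["status"]) < 300:
            continue  # denied or failed requests are not a successful read
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in trusted):
            continue
        hits.append((m["ip"], m["path"]))
    return hits


# Constructed sample log: one trusted read, two untrusted reads, one unrelated
# request, and one untrusted request that was rejected with 401.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2023:10:01:02 +0000] "GET /api/v1/terminal/sessions/ HTTP/1.1" 200 5120
203.0.113.9 - - [20/Sep/2023:10:01:07 +0000] "GET /api/v1/terminal/sessions/ HTTP/1.1" 200 5120
203.0.113.9 - - [20/Sep/2023:10:01:09 +0000] "GET /api/v1/terminal/sessions/?limit=100 HTTP/1.1" 200 9100
10.0.0.5 - - [20/Sep/2023:10:02:00 +0000] "GET /static/logo.png HTTP/1.1" 200 800
198.51.100.4 - - [20/Sep/2023:10:03:00 +0000] "GET /api/v1/terminal/sessions/ HTTP/1.1" 401 30
"""

if __name__ == "__main__":
    for tag in ("v3.0.0", "v3.6.3", "v3.6.4"):
        print(tag, "affected" if is_affected(tag) else "not affected")
    for ip, path in flag_untrusted_session_reads(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"]):
        print("review:", ip, path)
```

The version check is only a triage aid: a deployment that reports a version inside the range but keeps replays in S3 or OSS is out of scope per this advisory, which is why `is_affected` takes the storage backend as input. The log pass is deliberately conservative and reports only 2xx responses, so the 401 line in the sample is dropped; widen the status filter if you also want to see rejected attempts.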

Mitigation & Fix

Workaround:

  • Restrict access to JumpServer using network ACLs or firewall rules (e.g., allow only trusted IP ranges).

Permanent Fix:


Product Support

  • YunTu: Fingerprinting + PoC detection support
  • DongJian: Supports PoC-based detection
  • SafeLine WAF: Virtual patch already available to block exploit attempts
  • QuanXi: Built-in detection support
  • CloudWalker: Users on v23.05.001+ can update their emergency vuln library (EMERVULN-23.09.021) for detection.

Timeline

  • Sep 15: Vulnerability reported to Chaitin
  • Sep 18: Chaitin reproduced and analyzed the issue
  • Sep 21: Public advisory released by Chaitin


Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.
